Sunday, February 10, 2013

Trojan Nap aka Kelihos/Hlux - Feb. 2013 Status Update

Update Feb 11, 2012 Regarding media headlines that it is a "new version": Please note that this post is a "status update" on the growth of the Kelihos botnet. It is the same botnet and malware as we saw last year. The goal of the post is to highlight the rapid re-growth after the March 2012 takedown and share the recent known domain/name server data.

FireEye posted details about the sleep function found in Kelihos/Hlux (An encounter with Trojan Nap), which is interesting and is indeed present in some of the samples we saw. The trojan, of course, has many more features, most of them documented in previous publications online. This post is a quick update on the state of the Kelihos/Hlux botnet, along with the list of known fast flux domains (1500+) associated with Kelihos distribution or command and control (2012 to present). The current and most active name servers are ns[1-6].boomsco.com, ns[1-6].larstor.com, and ns[1-6].zempakiv.ru, which are themselves fast flux domains. This double fast flux design makes the botnet very difficult to take down, and sinkholing is only a temporary measure. Despite the two large takedown attempts (Sep. 2011 and Mar. 2012), the botnet is definitely on the rise again.

List of files sorted by PE header TimeDateStamp. The stamp is not always indicative of age, since it can be faked (in this case all samples are recent, 2012-2013), but it can be helpful for finding variants.
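The sort described above reads the COFF TimeDateStamp from each file's PE header. The following is an added example, not part of the original post: it builds a few constructed PE header stubs (not real malware samples; the file names and dates are made up), extracts the stamp from the header, sorts newest first, and flags stamps that cannot be trusted, either zeroed or later than the date the file was first seen in the wild.

```python
import struct
from datetime import datetime, timezone


def build_pe_stub(timestamp: int) -> bytes:
    """Constructed test data, not a real binary: a DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature followed by a COFF file
    header. TimeDateStamp is the DWORD 8 bytes past the signature."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header fields: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def stamp_to_date(stamp: int) -> str:
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d")


def sort_by_timestamp(samples: dict) -> list:
    """Sort {filename: bytes} newest first; returns (name, YYYY-MM-DD, stamp) rows."""
    rows = [(name, pe_timestamp(blob)) for name, blob in samples.items()]
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(name, stamp_to_date(s), s) for name, s in rows]


def stamp_is_plausible(stamp: int, first_seen: str) -> bool:
    """A zeroed stamp, or one later than the date the file was first seen in the
    wild, cannot be trusted as a compile date (the field is trivially editable)."""
    if stamp == 0:
        return False
    seen = datetime.strptime(first_seen, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(stamp, tz=timezone.utc) <= seen


def _epoch(year: int, month: int, day: int) -> int:
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def demo_samples() -> dict:
    """Five constructed stubs; names and dates are made up for the example."""
    return {
        "sample_a.exe": build_pe_stub(_epoch(2011, 10, 30)),
        "sample_b.exe": build_pe_stub(_epoch(2013, 1, 20)),
        "sample_c.exe": build_pe_stub(_epoch(2013, 2, 5)),
        "sample_d.exe": build_pe_stub(0),                   # zeroed stamp
        "sample_e.exe": build_pe_stub(_epoch(2014, 6, 1)),  # forged: post-dates first sighting
    }


if __name__ == "__main__":
    for name, date, stamp in sort_by_timestamp(demo_samples()):
        flag = "" if stamp_is_plausible(stamp, "2013-02-06") else "  <- untrustworthy stamp"
        print(f"{date}  {name}{flag}")
```

The plausibility check is the caveat from the paragraph made concrete: a stamp is only useful for grouping variants, and any value that post-dates the first sighting (or is zero) should be treated as noise rather than a compile date.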

Hundreds of domains pointing to these name servers are listed below as one list. A ".com" entry in the list is a name server and marks where the next batch of domains begins. You should see batches for the name servers (1500+ domains) that are associated with Redkit, Blackhole and other exploit kits, mostly delivering Kelihos/Hlux and sometimes Virut, which has also been associated with this botnet (Jan. 2013 - Waledac Gets Cozy with Virut - Symantec). Some domains were moved to new name servers as the old ones were suspended (for example, many domains were moved from ns[1-6].systeat.com to ns[1-6].turbusy.com).

ns[1-6].boomsco.com - domains registered on 2013-01-13 << most active now

ns[1-6].larstor.com - domains registered on 2012-12-22 << most active now

ns[1-6].berchae.com (suspended) - domains registered on 2012-12-21

ns[1-6].zempakiv.ru - domains registered on 2012-12-07 << most active now

ns[1-6].newrect.com - domains registered on 2012-08-01

ns[1-6].turbusy.com - domains registered on 2012-12-07

ns[1-6].chokode.com (suspended) - domains registered on 2012-09-06

ns[1-6].biocruc.com (suspended) - domains registered on 2012-07-15

ns[1-6].systeat.com (suspended) - domains registered on 2012-07-07

ns[1-6].affour.com (suspended) - domains registered on 2012-06-29

ns[1-6].reetsp.com (suspended) - domains registered on 2012-06-29

ns[1-6].oparle.com - domains registered on 2012-06-05

ns[1-6].toastop.com (suspended) - domains registered on 2012-05-27

ns[1-6].ocorti.com (suspended) - domains registered on 2012-04-21

ns[1-6].esanty.com (suspended) - domains registered on 2012-04-09

ns[1-6].diastr.com (suspended) - domains registered on 2012-04-09

ns[1-6].snapoli.com (suspended) - domains registered on 2012-04-02

ns[1-6].maguiso.com (suspended) - domains registered on 2012-03-05

ns[1-6].swartra.com - domains registered on 2011-10-12

EU domains

ns[1-6].frostli.com (suspended) - domains registered on 2012-04-21

ns[1-6].pizzebu.com (suspended) - domains registered on 2012-01-13

IN domains

ns[1-6].firstara.com - domains registered on 2012-03-08

CE.MS domains (used before 2012)

ns[1-6].roblect.com - domains registered on 2011-12-01

ns[1-6].galloma.com - domains registered on 2011-10-31

Domain list
All known domains, sorted by name server and age (newest on top; see the name server registration dates above). If you see any machines connecting to any of these domains, they are likely infected. Listed by name server and NS creation date. There are some duplicates in the list, as the same domain could move from one NS to another.
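The list format described above (an ns[1-6].<name> header line opens a batch, the lines after it are the domains parked on that name server, and a domain that moved between name servers appears under both) is easy to turn into a lookup table for a resolver log. The following is an added example, not code from the original post. The three name servers are the ones named in the post; the domains under them (.example) and the BIND-style query log lines are constructed for the demo. It flags both direct lookups of listed domains and lookups of the ns[1-6] hosts themselves, which a resolver performs while following delegation for any domain parked on those fast flux name servers.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the post's domain list. Name servers are
# from the post; the domains beneath them are made-up .example placeholders.
DOMAIN_LIST = """\
ns[1-6].boomsco.com
batch1-domain-a.example
batch1-domain-b.example
ns[1-6].larstor.com
batch2-domain-a.example
ns[1-6].zempakiv.ru
batch3-domain-a.example
batch1-domain-a.example
"""

HEADER_RE = re.compile(r"^ns\[1-6\]\.(?P<ns>[\w.-]+)$")   # batch header in the list
NS_HOST_RE = re.compile(r"^ns[1-6]\.(?P<ns>[\w.-]+)$")    # an actual ns1..ns6 hostname


def parse_domain_list(text: str):
    """Return ({domain: set of NS zones}, [NS zones in list order]).
    A domain that moved between name servers keeps every zone it appeared under."""
    by_domain = defaultdict(set)
    zones = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("ns")
            zones.append(current)
            continue
        if current is None:
            raise ValueError(f"domain before any name server header: {line}")
        by_domain[line].add(current)
    return dict(by_domain), zones


# Constructed resolver query log lines (BIND-like layout, made up for the demo).
DNS_LOG = """\
10-Feb-2013 09:12:01.123 client 10.0.0.5#51234: query: batch1-domain-a.example IN A + (10.0.0.1)
10-Feb-2013 09:12:02.456 client 10.0.0.7#40021: query: www.example IN A + (10.0.0.1)
10-Feb-2013 09:12:03.789 client 10.0.0.5#51235: query: ns3.boomsco.com IN A + (10.0.0.1)
10-Feb-2013 09:12:04.000 client 10.0.0.9#33333: query: batch3-domain-a.example IN A + (10.0.0.1)
10-Feb-2013 09:12:05.000 client 10.0.0.9#33334: query: ns2.zempakiv.ru IN NS + (10.0.0.1)
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_suspect_hosts(log_text: str, by_domain: dict, zones: list) -> dict:
    """Map client IP -> list of (qname, reason) for queries touching the list."""
    hits = defaultdict(list)
    zone_set = set(zones)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        qname = m.group("qname").lower().rstrip(".")
        if qname in by_domain:
            hits[ip].append((qname, "listed domain, NS " + ",".join(sorted(by_domain[qname]))))
            continue
        n = NS_HOST_RE.match(qname)
        if n and n.group("ns") in zone_set:
            hits[ip].append((qname, "fast-flux name server host"))
    return dict(hits)


if __name__ == "__main__":
    table, ns_zones = parse_domain_list(DOMAIN_LIST)
    for ip, reasons in sorted(find_suspect_hosts(DNS_LOG, table, ns_zones).items()):
        for qname, why in reasons:
            print(f"{ip}  {qname}  ({why})")
```

Matching on the ns[1-6] hostnames as well as the parked domains is what makes the check robust to the churn the post describes: the domain batches get moved and suspended, but a client resolving ns3.boomsco.com is talking to the same infrastructure regardless of which batch the domain belonged to.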

Malware functionality and system changes.
Based on 0C921935F0880B5C2161B3905F8A3069 - active fresh sample, first seen by Virus 2013-02-06, PE date stamp 2011-30-10.

We also analyzed fresh samples with 2013 PE date stamps and observed the same or similar functionality (some lack features such as Firefox or FTP password stealing, while others have the full set). Compared to the Dec. 2012 post by abuse.ch, the overall functionality has not changed much.

IMimeMessageTree API calls: IMimeMessageTree parses and creates Internet messages. It treats a message as a tree of bodies, where each body has a header and associated content, and gives a client the most flexible, low-level access to a message. Read more: IMimeMessageTree Interface http://msdn.microsoft.com/en-us/library/ms711715(v=vs.85).aspx

2 comments:

Perfect research! Thanks. Can you tell me the tool of the IP flow around the earth? I'm a sysadmin, and to follow some suspicious traffic that I give to my boss (the report), it will be perfect if I give screens like this.